Updated COPY commands

[catorreMC]

Added the built-in chmod/chown flags to improve build time. Removed standalone chmod and chown RUN commands, and removed all chmod/chown operations from the builder container. Will and I elected to keep the chmod and chown commands in the app stage of the image because they serve as a precautionary measure, and removing them makes no positive or negative impact on performance or space, and do not impact the legibility of the file.

On my machine, this improved build time from 2604 seconds to 309 - an 88 percent decrease. Pending further testing on other machines, as mine appeared to run it dramatically slower than others.

Dockerfile.lite still needs to be updated accordingly.

[Amndeep7]

can we explore using 'copy --link' (https://docs.docker.com/engine/reference/builder/#copy---link) to see if we can make these copy layers more independent?

[catorreMC]

I'll give this a look. Surprised I hadn't seen it before.

[Amndeep7]

why do the copies start doing absolute paths for the copy instead of relative like we have been?

[catorreMC]

Good question - I didn't change that part of the line, but I don't have any rationale for keeping it that way. That could be changed for consistency.

[aaronlippold]

It seems to me that this container should be running as either a heimdall user or a heimdallapp or nodeapp or something like that - and thus in the final build layer there should be commands making sure all the data on the image is owned by that user:

COPY --from=build /usr/bin/dumb-init /usr/bin/dumb-init
USER node
WORKDIR /usr/src/app
COPY --chown=node:node --from=build /usr/src/app/node_modules /usr/src/app/node_modules
COPY --chown=node:node . /usr/src/app

chmod,chwon commands can be joined and they can also be recessive. So I can chown -R user:group <path>
next
The files and folders on the system, I would think, only need at max: 00640 for -type f and 00750 -type d although enabling the stickly bit on all directory structures in the base layers with the right mask may save some time an effort here. However this may be showing a bug that would mean we may have to be more hands on with managing this.

https://forums.docker.com/t/permissions-issue-with-compose-build-vs-docker-build/7775

[Amndeep7]

It seems to me that this container should be running as either a heimdall user or a heimdallapp or nodeapp or something like that - and thus in the final build layer there should be commands making sure all the data on the image is owned by that user:

That's why we have that 'node' user. They've basically done the work to properly create a different user account from root and we can do whatever we want with it now as opposed to having to manually create a 'heimdall' user.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[mergify]

This pull request has a conflict. Could you fix it @catorreMC?

[mergify]

This pull request has a conflict. Could you fix it @catorreMC?

[mergify]

This pull request has a conflict. Could you fix it @catorreMC?

[mergify]

This pull request has a conflict. Could you fix it @catorreMC?